(openvpnas) openvpnas module install tests

dtapiacl · dtapiacl · commit 02fc62a1ea20 · 2025-10-21T17:45:46.000-03:00
diff --git a/Puppetfile b/Puppetfile
@@ -30,6 +30,7 @@ mod 'lsst/java_artisanal', '3.4.1'
 mod 'lsst/kubectl', '1.2.0'
 mod 'lsst/maven', '3.1.0'
 mod 'lsst/nm', '0.3.0'
+mod 'lsst/openvpnas', git: 'https://github.com/lsst-it/puppet-openvpnas', ref: '026a9c4'
 mod 'lsst/pi', '1.0.0'
 mod 'lsst/powertop', '0.1.2'
 mod 'lsst/rke', '2.1.0'
diff --git a/hieradata/role/openvpnas.yaml b/hieradata/role/openvpnas.yaml
@@ -0,0 +1,6 @@
+---
+classes:
+  - "profile::core::common"
+  - "profile::core::openvpnas"
+
+profile::core::openvpnas::version: "3.0.1_84b60e70"
diff --git a/site/profile/manifests/core/openvpnas.pp b/site/profile/manifests/core/openvpnas.pp
@@ -0,0 +1,89 @@
+# @summary
+#   Installs OpenVPN Access Server and configures LDAP + default groups.
+#
+# @param version
+#   Sets version lock for OpenVPN package.
+#
+# @param bind_pw
+#   Optional. LDAP bind password for OpenVPN Access Server.
+#
+class profile::core::openvpnas (
+  String[1] $version,
+  Optional[String[1]] $bind_pw = undef,
+) {
+  include profile::core::letsencrypt
+
+  # Host FQDN
+  $fqdn = fact('networking.fqdn')
+
+  # Signed Certificate Location
+  $le_root = "/etc/letsencrypt/live/${fqdn}"
+
+  $ldap_pw = pick($bind_pw, 'testpassword')
+
+  # Generate and sign certificate
+  letsencrypt::certonly { $fqdn:
+    plugin      => 'dns-route53',
+    manage_cron => true,
+  }
+
+  # Configure OpenVPN Access Server
+  class { 'openvpnas':
+    manage_repo         => true,
+    version             => $version,
+    versionlock_enable  => true,
+    versionlock_release => '1.el9',
+    manage_service      => true,
+    manage_web_certs    => true,
+    cert_source_path    => $le_root,
+    require             => Letsencrypt::Certonly[$fqdn],
+
+    config => {
+      # Define LDAP settings FIRST
+      'auth.ldap.0.enable'            => 'true',
+      'auth.ldap.0.name'              => 'Rubin LDAP Servers',
+      'auth.ldap.0.server.0.host'     => 'ipa1.cp.lsst.org',
+      'auth.ldap.0.server.1.host'     => 'ipa1.ls.lsst.org',
+      'auth.ldap.0.bind_dn'           => 'uid=svc_openvpnas,cn=users,cn=accounts,dc=lsst,dc=cloud',
+      'auth.ldap.0.bind_pw'           => $ldap_pw,
+      'auth.ldap.0.users_base_dn'     => 'cn=accounts,dc=lsst,dc=cloud',
+      'auth.ldap.0.add_req'           => 'memberOf=cn=vpn,cn=groups,cn=accounts,dc=lsst,dc=cloud',
+      'auth.ldap.0.user_exists_check' => 'true',
+      'auth.ldap.0.use_ssl'           => 'never',
+      'auth.ldap.0.ssl_verify'        => 'internal',
+      'auth.ldap.0.timeout'           => '4',
+      'auth.ldap.0.uname_attr'        => 'uid',
+      'auth.ldap.0.def_group'         => 'vpn-default',
+      'vpn.server.group_default'      => 'vpn-default',
+      'auth.local.0.enable'           => 'false',
+    },
+  }
+
+  # Set the authentication module type AFTER LDAP servers are defined
+  exec { 'set-auth-module-ldap':
+    command => '/usr/local/openvpn_as/scripts/sacli -k auth.module.type -v ldap ConfigPut && /usr/local/openvpn_as/scripts/sacli start',
+    path    => ['/usr/local/openvpn_as/scripts', '/usr/bin', '/usr/local/bin'],
+    unless  => '/usr/local/openvpn_as/scripts/sacli ConfigQuery | grep -q \'"auth.module.type": "ldap"\'',
+    require => Class['openvpnas'],
+  }
+
+  # Create vpn-it and vpn-default groups
+  exec { 'create_openvpn_groups':
+    command => '/usr/local/openvpn_as/scripts/sacli --user vpn-it --key "type" --value "group" UserPropPut &&
+                /usr/local/openvpn_as/scripts/sacli --user vpn-it --key "group_declare" --value "true" UserPropPut &&
+                /usr/local/openvpn_as/scripts/sacli --user vpn-default --key "type" --value "group" UserPropPut &&
+                /usr/local/openvpn_as/scripts/sacli --user vpn-default --key "group_declare" --value "true" UserPropPut &&
+                /usr/local/openvpn_as/scripts/sacli start',
+    path    => ['/usr/local/openvpn_as/scripts', '/usr/bin', '/usr/local/bin'],
+    unless  => '/usr/local/openvpn_as/scripts/sacli UserPropGet | grep -q "vpn-default"',
+    require => Exec['set-auth-module-ldap'],
+  }
+
+  # Grant admin role to vpn-it
+  exec { 'grant_admin_to_vpn_it':
+    command => '/usr/local/openvpn_as/scripts/sacli --user vpn-it --key "prop_superuser" --value "true" UserPropPut && /usr/local/openvpn_as/scripts/sacli start',
+    path    => ['/usr/local/openvpn_as/scripts', '/usr/bin', '/usr/local/bin'],
+    unless  => '/usr/local/openvpn_as/scripts/sacli --pfilt vpn-it UserPropGet | grep -q "prop_superuser.*:.*true"',
+    require => Exec['create_openvpn_groups'],
+  }
+}
diff --git a/spec/classes/core/openvpnas_spec.rb b/spec/classes/core/openvpnas_spec.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'profile::core::openvpnas' do
+  on_supported_os.each do |os, os_facts|
+    # Only test AlmaLinux 9 for now
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      let(:facts) do
+        os_facts.merge(
+          networking: {
+            fqdn: 'foo.example.com',
+          }
+        )
+      end
+
+      let(:fqdn) { facts[:networking][:fqdn] }
+      let(:le_root) { "/etc/letsencrypt/live/#{fqdn}" }
+
+      context 'with default parameters' do
+        let(:params) do
+          {
+            version: '3.0.1_84b60e70',
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it do
+          is_expected.to contain_letsencrypt__certonly(fqdn).with(
+            plugin: 'dns-route53',
+            manage_cron: true
+          )
+        end
+
+        it do
+          is_expected.to contain_class('openvpnas').with(
+            manage_repo: true,
+            version: '3.0.1_84b60e70',
+            versionlock_enable: true,
+            versionlock_release: '1.el9',
+            manage_service: true,
+            manage_web_certs: true,
+            cert_source_path: le_root,
+            require: "Letsencrypt::Certonly[#{fqdn}]"
+          )
+        end
+      end
+    end
+  end
+end
diff --git a/spec/hosts/roles/openvpnas_spec.rb b/spec/hosts/roles/openvpnas_spec.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+role = 'openvpnas'
+
+describe "#{role} role" do
+  on_supported_os.each do |os, os_facts|
+    next unless os =~ %r{almalinux-9-x86_64}
+
+    context "on #{os}" do
+      lsst_sites.each do |site|
+        describe "#{role}.#{site}.lsst.org", :sitepp do
+          let(:node_params) do
+            {
+              role:,
+              site:,
+            }
+          end
+          let(:facts) { lsst_override_facts(os_facts) }
+
+          it { is_expected.to compile.with_all_deps }
+
+          include_examples('common', os_facts:, site:)
+        end # host
+      end # lsst_sites
+    end # on os
+  end # on_supported_os
+end # role
